It is critical that all LFS users update their current version of bash
to fix the shellshock bug. [1][2]
All users should update their current version of bash according to the
instructions at:
http://www.linuxfromscratch.org/lfs/view/development/chapter06/bash.html
Note 1: The suffix in bash-4.3-upstream_fixes-4.patch has changed.
Note 2: Older installations with a bash version before 4.3 may also need to
install readline-6.3.
-----
To see if your current system is vulnerable to CVE-2014-6271, run:
$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
A vulnerable system will display the word 'vulnerable' before the line
'this is a test'; a fixed system displays only 'this is a test'.
To see if your current system is subject to CVE-2014-7169, run the
following in an empty scratch directory (on a vulnerable system it creates
a file named 'echo' in the current directory; delete it afterwards):
$ X='() { (a)=>\' bash -c "echo date"
A vulnerable system with only the fix for CVE-2014-6271 will display
lines similar to:
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
and the output of 'date' will have been redirected into the new file
'echo' instead of being printed:
[root@ ec2-user]# cat echo
Fri Sep 26 01:37:16 UTC 2014
A fixed system will only display the word 'date' and create no file.
The patch bash-4.3-upstream_fixes-4.patch fixes both CVE-2014-6271 and
CVE-2014-7169.
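The two probes above can be wrapped in a script so that a freshly built bash (for example the one in a chroot or /tools before it is installed over the running one) can be checked without touching the current directory. The script below is an added example and is not part of the LFS announcement or of the LFS book; the function names, the optional path argument and the use of a throwaway mktemp directory are this example's own choices. It takes the path of the bash binary to test (defaulting to the bash found on PATH), runs the CVE-2014-6271 probe, runs the CVE-2014-7169 probe inside a scratch directory so the stray 'echo' file can never land in a real directory, and reports each result.

```shell
#!/bin/sh
# Added example (not from the LFS announcement): probe a bash binary for
# CVE-2014-6271 and CVE-2014-7169 with the two tests from the advisory.
# Usage: check_shellshock [path-to-bash]   (default: the bash on PATH)

# Turn a relative path such as ./bash into an absolute one so that the
# probe that changes directory still finds the binary.
resolve_bash() {
    case $1 in
        /*)  echo "$1" ;;
        */*) echo "$PWD/$1" ;;
        *)   echo "$1" ;;          # bare name, looked up on PATH
    esac
}

# CVE-2014-6271: a vulnerable bash executes the command that trails the
# exported function body, so the word "vulnerable" appears in the output.
probe_cve_2014_6271() {
    bash_bin=$(resolve_bash "${1:-bash}")
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "cannot run $bash_bin"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: on a bash carrying only the first fix, the malformed
# definition leaves "> " in the parser, so "echo date" becomes "> echo date"
# and the output of date lands in a file named "echo" instead of stdout.
# The probe runs in a temporary directory so that file can never clobber
# anything, and the directory is removed afterwards.
probe_cve_2014_7169() {
    bash_bin=$(resolve_bash "${1:-bash}")
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "cannot run $bash_bin"; return 2; }
    scratch=$(mktemp -d) || { echo "cannot create scratch directory"; return 2; }
    out=$( cd "$scratch" && X='() { (a)=>\' "$bash_bin" -c "echo date" 2>/dev/null )
    if [ -e "$scratch/echo" ] || [ "$out" != "date" ]; then
        result="vulnerable"
    else
        result="not vulnerable"
    fi
    rm -rf "$scratch"
    echo "$result"
}

# Report both results for one binary.
check_shellshock() {
    printf 'CVE-2014-6271: %s\n' "$(probe_cve_2014_6271 "${1:-bash}")"
    printf 'CVE-2014-7169: %s\n' "$(probe_cve_2014_7169 "${1:-bash}")"
}

check_shellshock "$@"
```

Running it as `sh check_shellshock.sh /tools/bin/bash` checks a bash that has just been built, and `sh check_shellshock.sh` checks the one on PATH; the script never writes into the directory it is started from.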
-- Bruce Dubbs
linuxfromscratch.org
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
--
http://lists.linuxfromscratch.org/listinfo/lfs-announce